vdavid
diff --git a/‎AGENTS.md‎
Lines changed: 3 additions & 0 deletions b/‎AGENTS.md‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎apps/desktop/coverage-allowlist.json‎
Lines changed: 9 additions & 0 deletions b/‎apps/desktop/coverage-allowlist.json‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎apps/desktop/src-tauri/src/commands/CLAUDE.md‎
Lines changed: 1 addition & 0 deletions b/‎apps/desktop/src-tauri/src/commands/CLAUDE.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎apps/desktop/src-tauri/src/commands/crash_reporter.rs‎
Lines changed: 66 additions & 0 deletions b/‎apps/desktop/src-tauri/src/commands/crash_reporter.rs‎
Lines changed: 66 additions & 0 deletions
diff --git a/‎apps/desktop/src-tauri/src/commands/mod.rs‎
Lines changed: 1 addition & 0 deletions b/‎apps/desktop/src-tauri/src/commands/mod.rs‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎apps/desktop/src-tauri/src/crash_reporter/CLAUDE.md‎
Lines changed: 87 additions & 0 deletions b/‎apps/desktop/src-tauri/src/crash_reporter/CLAUDE.md‎
Lines changed: 87 additions & 0 deletions
@@ -61,6 +61,9 @@ Core structure:
 - **Logging**: Frontend and backend logs appear together in terminal and in
   `~/Library/Logs/com.veszelovszki.cmdr/`. Full reference with `RUST_LOG` recipes:
   [docs/tooling/logging.md](docs/tooling/logging.md).
+- **Crash reports**: When the app crashes, it writes a crash file to the data dir (`crash-report.json` alongside
+  `settings.json`). On next launch, the app detects this file and offers to send a crash report. See
+  `src-tauri/src/crash_reporter/CLAUDE.md` for architecture details.
 - **Hot reload**: `pnpm dev` hot-reloads. Max 15s for Rust, max 3s for frontend.
 - **Index DB queries**: The index SQLite DB uses a custom `platform_case` collation, so the `sqlite3` CLI can't query
   it. Use `cargo run -p index-query -- <db_path> "<sql>"` instead. See
 
@@ -216,6 +216,15 @@
         },
         "ui/ProgressOverlay.svelte": {
             "reason": "Pure UI component, no logic to test beyond rendering"
+        },
+        "crash-reporter/CrashReportDialog.svelte": {
+            "reason": "UI dialog, depends on Tauri commands for send/dismiss"
+        },
+        "crash-reporter/CrashReportToastContent.svelte": {
+            "reason": "UI toast content, depends on Tauri window APIs"
+        },
+        "tauri-commands/crash-reporter.ts": {
+            "reason": "Tauri command wrappers, tested via integration"
         }
     }
 }
@@ -24,6 +24,7 @@ immediately to business-logic modules. No significant logic lives here.
 | `licensing.rs` | Licensing | Status query, activation, expiry, reminder, key validation |
 | `indexing.rs` | Drive index | `start_drive_index`, `stop_drive_index`, `get_index_status`, `get_dir_stats`, `get_dir_stats_batch`, `clear_drive_index`, `set_indexing_enabled`, `get_index_debug_status` (dev-only extended stats). Uses `State<IndexManagerState>`. |
 | `clipboard.rs` | Clipboard file ops | `copy_files_to_clipboard`, `cut_files_to_clipboard`, `read_clipboard_files`, `clear_clipboard_cut_state`. macOS uses NSPasteboard via `clipboard::pasteboard`; non-macOS stubs return errors. |
+| `crash_reporter.rs` | Crash reporting | `check_pending_crash_report`, `dismiss_crash_report`, `send_crash_report`. Delegates to `crash_reporter` module. Send is skipped in dev/CI. |
 | `search.rs` | Drive search | `prepare_search_index`, `search_files`, `release_search_index`, `translate_search_query`, `parse_search_scope`. Thin wrappers over `indexing::search` module. Post-filters directory sizes after `fill_directory_sizes`. AI search uses single-pass classification prompt → `ai_response_parser` → `ai_query_builder` pipeline. |
 | `ai_response_parser.rs` | AI search parser | Key-value line parser for LLM classification responses. Validates enum fields, extracts keywords. Fallback keyword extraction when LLM fails. |
 | `ai_query_builder.rs` | AI search builder | Maps parsed LLM enums (type, time, size, scope) into `SearchQuery` fields. Merges keywords + type into single regex pattern. Deterministic date/size computation. |
 
@@ -0,0 +1,66 @@
+//! Crash reporter Tauri commands.
+//!
+//! Thin wrappers for crash file detection, dismissal, and sending.
+
+use crate::config;
+use crate::crash_reporter;
+
+/// Server URL for crash report ingestion.
+#[cfg(debug_assertions)]
+const CRASH_REPORT_URL: &str = "http://localhost:8787/crash-report";
+
+#[cfg(not(debug_assertions))]
+const CRASH_REPORT_URL: &str = "https://license.getcmdr.com/crash-report";
+
+/// Checks for a pending crash report from a previous session.
+/// Returns the report as a JSON value, or `null` if none exists.
+#[tauri::command]
+pub fn check_pending_crash_report(app: tauri::AppHandle) -> Option<serde_json::Value> {
+    let report = crash_reporter::take_pending_crash_report(&app)?;
+    serde_json::to_value(report).ok()
+}
+
+/// Deletes the crash report file without sending it.
+#[tauri::command]
+pub fn dismiss_crash_report(app: tauri::AppHandle) {
+    let Ok(data_dir) = config::resolved_app_data_dir(&app) else {
+        return;
+    };
+    let crash_path = data_dir.join("crash-report.json");
+    let _ = std::fs::remove_file(crash_path);
+}
+
+/// Sends the crash report to the ingestion server, then deletes the local file.
+/// Skipped in dev mode and CI to avoid polluting production data.
+#[tauri::command]
+pub async fn send_crash_report(app: tauri::AppHandle, report: serde_json::Value) -> Result<(), String> {
+    let should_skip = cfg!(debug_assertions) || std::env::var("CI").is_ok();
+
+    if !should_skip {
+        let client = reqwest::Client::builder()
+            .timeout(std::time::Duration::from_secs(10))
+            .build()
+            .map_err(|e| format!("Couldn't create HTTP client: {e}"))?;
+
+        let response = client
+            .post(CRASH_REPORT_URL)
+            .json(&report)
+            .send()
+            .await
+            .map_err(|e| format!("Couldn't send crash report: {e}"))?;
+
+        if !response.status().is_success() {
+            return Err(format!("Crash report server returned {}", response.status()));
+        }
+    } else {
+        log::info!("Crash reporter: skipping send (dev mode or CI)");
+    }
+
+    // Delete the local crash file after successful send (or skip)
+    if let Ok(data_dir) = config::resolved_app_data_dir(&app) {
+        let crash_path = data_dir.join("crash-report.json");
+        let _ = std::fs::remove_file(crash_path);
+    }
+
+    Ok(())
+}
@@ -3,6 +3,7 @@
 pub mod ai_query_builder;
 pub mod ai_response_parser;
 pub mod clipboard;
+pub mod crash_reporter;
 pub mod e2e;
 pub mod file_system;
 pub mod file_viewer;
 
@@ -0,0 +1,87 @@
+# Crash reporter
+
+Lightweight, privacy-respecting crash reporting. Captures crash data locally, then offers to send it on next launch.
+
+## Architecture
+
+Two capture paths handle different crash types:
+
+- **Panic hook** (`mod.rs`): Catches Rust `panic!`/`unwrap()`/`expect()` failures. Runs in normal Rust code, so it has
+  full stdlib access. Captures `std::backtrace::Backtrace`, sanitized panic message, thread info, and app metadata.
+  Writes a JSON crash file to the app data dir.
+- **Signal handler** (`mod.rs`): Catches SIGSEGV, SIGBUS, SIGABRT (like stack overflows). Runs in an async-signal-safe
+  context, so it can only capture raw instruction pointer addresses and write them as raw bytes to a pre-opened fd.
+  Symbolication happens on next launch.
+
+Both paths write to `crash-report.json` in the app data dir (same dir as `settings.json`, resolved by
+`resolved_app_data_dir()`).
+
+## Crash file lifecycle
+
+1. App crashes, handler writes `crash-report.json`
+2. Next launch: `check_pending_crash_report` finds the file, parses it (defensively, discards if corrupt)
+3. If `updates.crashReports` is `true`: auto-send and show a toast
+4. Otherwise: show a dialog letting the user inspect and choose to send or dismiss
+5. File is deleted after send or dismiss
+
+## Key design decisions
+
+- **Opt-in only** (`updates.crashReports` defaults to `false`). Consistent with the "no telemetry" stance.
+- **No PII, ever.** Panic messages are sanitized to strip file paths before writing. No file names, usernames, device
+  IDs, or license keys are included.
+- **Dev mode: capture only, never send.** Crash files are written (useful for testing), but the send path is skipped to
+  avoid polluting production data.
+- **Crash loop protection**: If the crash file's timestamp is less than five seconds before the current launch, skip
+  auto-send and show the dialog instead.
+- **Radical transparency**: The dialog shows the exact JSON payload before sending.
+
+## What we send
+
+- Full symbolicated backtrace (function names + offsets, not file paths)
+- Exception type + signal, faulting address
+- App version, macOS version, CPU architecture
+- App uptime, thread count
+- Sanitized panic message
+- Active feature flags (booleans/enums only: `indexing.enabled`, `ai.provider`, `developer.mcpEnabled`,
+  `developer.verboseLogging`)
+
+## What we never send
+
+- File paths, volume names, environment variables, window titles
+- License key, transaction ID, device ID
+- Register dump, heap contents
+
+## Files
+
+| File               | Purpose                                                              |
+| ------------------ | -------------------------------------------------------------------- |
+| `mod.rs`           | Panic hook, signal handler registration, crash file read/write       |
+| `symbolicate.rs`   | Next-launch symbolication of raw addresses from signal handler       |
+| `tests.rs`         | Unit + integration tests for crash file I/O, sanitization, signals   |
+
+### Commands and frontend (milestone 2)
+
+| File                                               | Purpose                                                          |
+| -------------------------------------------------- | ---------------------------------------------------------------- |
+| `commands/crash_reporter.rs`                       | Tauri commands: check, dismiss, send crash reports               |
+| `src/lib/tauri-commands/crash-reporter.ts`         | TypeScript wrappers for the three Tauri commands                 |
+| `src/lib/crash-reporter/CrashReportDialog.svelte`  | Dialog: shows report, expandable details, send/dismiss buttons   |
+| `src/lib/crash-reporter/CrashReportToastContent.svelte` | Toast content for auto-sent crash reports                   |
+
+The startup flow in `(main)/+layout.svelte` calls `checkPendingCrashReport` after settings are loaded. If
+`updates.crashReports` is true and it's not a crash loop, it auto-sends and shows a toast. Otherwise, it shows the
+dialog.
+
+## Gotchas
+
+- `unwrap()` on `io::Error` embeds the file path in the panic message. The sanitizer must strip path-like patterns
+  (`/Users/...`, `C:\...`, home dir prefixes) before writing.
+- The signal handler's pre-opened fd becomes stale if the app data dir is deleted while the app runs. This is acceptable
+  since it requires deliberate user action and only loses one crash report.
+- Raw addresses from the signal handler are only useful for symbolication if the app version hasn't changed between crash
+  and relaunch. If versions differ, send raw addresses only (still useful for grouping).
+- Signal handler raw addresses are absolute virtual addresses, randomized by ASLR on each launch. True symbolication
+  would require storing the binary's image base address in the crash file, which isn't done yet. For now, raw addresses
+  are formatted as hex and are useful for grouping identical crash sites across reports.
+- The signal handler uses `execinfo.h`'s `backtrace()` which is async-signal-safe on macOS. On Linux, glibc's
+  implementation is also safe in practice but not guaranteed by POSIX.
Original file line number	Diff line number	Diff line change
`@@ -216,6 +216,15 @@`
`216`	`216`	`},`
`217`	`217`	`"ui/ProgressOverlay.svelte": {`
`218`	`218`	`"reason": "Pure UI component, no logic to test beyond rendering"`
	`219`	`+ },`
	`220`	`+ "crash-reporter/CrashReportDialog.svelte": {`
	`221`	`+ "reason": "UI dialog, depends on Tauri commands for send/dismiss"`
	`222`	`+ },`
	`223`	`+ "crash-reporter/CrashReportToastContent.svelte": {`
	`224`	`+ "reason": "UI toast content, depends on Tauri window APIs"`
	`225`	`+ },`
	`226`	`+ "tauri-commands/crash-reporter.ts": {`
	`227`	`+ "reason": "Tauri command wrappers, tested via integration"`
`219`	`228`	`}`
`220`	`229`	`}`
`221`	`230`	`}`